[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bind/Ldappasswd

To: "Lee Hoffman" <lee_hoffman@brown.edu>, <OpenLDAP-software@OpenLDAP.org>
Subject: Re: Bind/Ldappasswd
From: Stephan Siano <stephan.siano@suse.de>
Date: Tue, 13 Nov 2001 08:14:10 +0100
In-reply-to: <001101c16bf9$b971db80$8eb89480@venomous>
References: <001101c16bf9$b971db80$8eb89480@venomous>

On Tuesday, 13. November 2001 05:14, Lee Hoffman wrote:
> Hey All,
> I seem to be having a problem is binding and userPasswords. I have two
> admin users (admin1 and admin2) that I want to be able to search and
> write to the directory. I then have a bunch of other users that I just
> want to be able to bind to the server (Im using cyrus with PAM-LDAP).

> # Define global ACLs to disable default read access.
> defaultaccess auth
>
> # Users Modify Thier Information
> access to * by self write
>
> # Software Access
> access to * by dn="uid=admin1,ou=users,dc=mydomain,dc=com" write
>
> access to * by dn="uid=admin2,ou=users,dc=mydomain,dc=com" read
>
> access to * by * auth


Hi,

most probably you want:

access to * by self write
            by dn="uid=admin1,ou=users,dc=mydomain,dc=com" write
            by dn="uid=admin2,ou=users,dc=mydomain,dc=com" read
            by * auth

access control is always eveluated from the beginning to the first match.
"access to * by self write" means that access is only granted to self, all 
other objects won't get any access at all. There is a section in the admin 
guide and in the FAQ about this issue.

Yours
Stephan Siano


-- 
Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn

References:
- Bind/Ldappasswd
  - From: "Lee Hoffman" <lee_hoffman@brown.edu>

Prev by Date: Bind/Ldappasswd
Next by Date: Re: RFC [Samba/NIS + LDAP]
Index(es):
- Chronological
- Thread